Currently we have multiple different hardware vendors performing all different parts of our layered security. Now that I think of it, we don't have more than one vendor performing security in every part of our network. (Firewalls, SIEM, antivirus, IPS, etc.)

I like Cisco and seeing what they can do with all areas of security running Cisco products is impressive. From your standpoint, would it be better to diversify the equipment to different vendors or have one manage them all. I know that Cisco might not be #1 in all categories, but when all their equipment is working together, I feel that you have a tighter network.

I am sure many people will have many different opinions on this. Cisco is for sure a good brand, with some quality products, and a lot of companies are Cisco houses.

My personal opinion is where possible go for best of breed, and just not to put all your eggs in one basket. So I like to have a few solutions in the mix by different vendors. That way when a major issue flares up (some zero day attack) I will hopefully have some layer providing some protection.

Cisco are generally superior in what they do best, routing and switching. However, often the attempts to branch into different fields and features can leave a bit to be desired. They usually design and create devices with a high level of security, however it is often seen that the advanced 'features' are less secure.

For example this month's security advisory lists several vulnerabilities in 'security' features; including vulnerable IPS features, potential data leakage from a VPN and even an issue with the humble NAT. (Full advisory here)

I'm not trying to claim that Cisco devices are less secure than other manufacturers, it could easily be the case competitors are just less open regarding their bugs; and if you want to move to a single manufacturer for all devices you could certainly do worse than go with Cisco.

It is usually the case though that those specialising in a specific technology will produce a better product than generalists, providing you stick to the big boys. Best-of-breed devices usually have that label for a reason.

I think Dale and RoleReversal summed up the majority of my opinion, other than, it is kind of like asking which is the best OS; Mac, Linux or Windows? You are gonna get so many answers it is ridiculous. In most cases, he who throws the most money at promoting/advertising their product wins, which Cisco has done a great job at.

I can give you one product that I have not had much luck with...Linksys, which is put out by Cisco. For their high-end stuff to work pretty well most of the time, they sure as hell can't get the home market down. Of course, that's my opinion and the experience I have had with several Linksys routers.

To the OP, remember, don't put so much faith in one product. One weak link can break the whole chain. As RoleReversal pointed out, Cisco consistently has its share of vulnerabilities, which does not necessarily make it a bad product. But, having other solutions in place is a wise choice.

I think it matters a lot (personal preference) because Cisco security products steered away from mostly being point products several years ago. For the past couple of years, they've focused on collaborating each security control together to integrate with another & even escalate the security of other Cisco security solutions.

Security no longer becomes an afterthought or a necessary evil, but a security architecture that's designed to scale to Government & compliance requirements (like PCI, HIPAA, SOX) which goes far beyond just a simple firewall.

With their recent purchase of Ironport they have stepped up their arsenal of network security tenfold. I recently was able to attend a demo of the Ironport and was very impressed with their product. My company is now using a large-scale Ironport as a virus gateway and email scanner and it's working very well.

Yup. Ironport works as a wonderful email & web content filtering front end which also collaborates with Cisco's Security Agent (CSA) to reinforce Data Loss Prevention, or info leakage through email.

Their latest acquisition this past summer will really ramp up network security with role-based application enforcement/security. And like their other security offerings, it will probably work together which will take it to the top IMO.

Last edited by charlottebandit on Tue Dec 30, 2008 10:16 am, edited 1 time in total.

dalepearson wrote:Like I said, don't put all your eggs in one basket (all one vendor) unless there is a strategic reason.

Multiple layers is the key, and if this can incorporate various vendor offerings the better.

The problem with this approach is that you must become equally proficient with multiple products. For example, using two different firewalls would prevent an exploit in one from working on the other, but at the same time, you may increase the likelihood of configuration errors. I'm not outright disagreeing with you, since that approach does have benefits as well. I'm just offering an alternate perspective because I think some people develop a false sense of security by taking the multi-vendor approach.

dynamik wrote:The problem with this approach is that you must become equally proficient with multiple products. For example, using two different firewalls would prevent an exploit in one from working on the other, but at the same time, you may increase the likelihood of configuration errors. I'm not outright disagreeing with you, since that approach does have benefits as well. I'm just offering an alternate perspective because I think some people develop a false sense of security by taking the multi-vendor approach.

To get around that, for example in my company's environment we have a team of individuals who work on certain aspects of the infrastructure. Each one has their own specialty and has a working proficiency in the rest. So all in all everyone can work with everything, but we have an expert for each technology. So for major changes the SME would either complete or review all configuration changes to ensure there are no issues. Nice to see you over here, dynamik.

I'll second that. If this place was only full of experts, it would be a very lonely place. None of us are perfect, and I can guarantee that none of us know everything about this field. There is simply too much. And what has been picked up along the way, we all want to share it with those behind us as those in front of us did for us.

Keep it up and spread the word to other lurkers who may feel the same.

I'm actually not too nervous; that was more of a compliment to you guys. This seems like a great forum with respectful, knowledgeable members, so I don't think there's any reason to experience n00b anxiety when posting.

I'm fairly tech-savvy, but I'm still quite new to the ethical hacking scene. I was introduced to this site by a few people I know from techexams.net (where I'm slightly more active). I'll definitely be recommending this site to other EH enthusiasts.

TE is king when it comes to IT certifications (though very specialized ones such as the GPEN don't get much mention), but the level of depth you guys get into is astounding. This appears to be a phenomenal resource, and I'm very much looking forward to going through the forums, blog entries, columns, etc.

Well, I think that's enough chatter; I have a great deal of catching up to do.